TechRepublic’s Editor in Chief, Jason Hiner, has designated the “Internet of Things” otherwise known as “Machine to Machine” technology as TechRepublic’s global topic for January:

The Internet of Things is all about sensors that can connect lots of formerly-mundane objects to the Internet and automatically send their data to IT systems for analysis. The objects can be everything from health care monitors to traffic lights to thermostats to trains.

As the guy who covers IT security, you may be wondering why I’m even interested. Well, as Jason pointed out; health care uses many “things,” several of which are near and dear to my heart.

Since my heart surgery in 2007, I’ve been interested in medical-computing technology and how patient treatment has improved due to the advances. I even wrote an article about my experience just days after my release from the hospital, “Wireless technology played a big role in my surgery.” My son questioned my judgment releasing an article that soon — something about OxyContin.

So last summer, when a colleague told me about “Attack Surface: Healthcare and Public Health Sector,” a report released by the Department of Homeland Security; I immediately read it, wondering what “Attack Surface” meant. Here’s what I found:

[A] major concern to the Healthcare and Public Health (HPH) Sector is exploitation of potential vulnerabilities of medical devices on Medical IT networks (public, private and domestic).

It gets worse:

These vulnerabilities may result in possible risks to patient safety and theft or loss of medical information due to the inadequate incorporation of IT products, patient management products, and medical devices onto Medical IT Networks. Misconfigured networks or poor security practices may increase the risk of compromised medical devices.

The report then proceeds to explain why:

  • There are legacy medical devices deployed prior to enactment of the Medical Device Law in 1976, that are still in use today.
  • Many newer devices have undergone rigorous Food and Drug Administration (FDA) testing procedures and come equipped with design features which facilitate their safe incorporation onto Medical IT networks. However, these secure design features may not be implemented during the deployment phase due to complexity of the technology or the lack of knowledge about the capabilities.
  • In an era of budgetary restraints, healthcare facilities frequently prioritize more traditional programs and operational considerations over network security.
  • Because these medical devices may contain sensitive or privacy information, system owners may be reluctant to allow manufacturers access for upgrades or updates. Failure to install updates lays a foundation for increasingly ineffective threat mitigation as time passes.

I made a mental note to get back to this and see if there was a story that needed telling. Since then, I’ve compiled quite a file about the subject. But I must confess, I wasn’t planning to write an article just yet. Then, on Christmas Day, Google Alerts informed me of a Washington Post article by Robert O’Harrow Jr., “Health-care sector vulnerable to hackers, researchers say.”

In the article, O’Harrow quotes Avi Rubin, a computer scientist and director of Information Security Institute at John Hopkins University as saying:

I have never seen an industry with more gaping security holes. If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress.

It just so happens

Just before Christmas, I emailed Denis Foo Kune. He was my expert source on “Locating cell-phone owners the non-GPS way.” I wanted to congratulate Denis on receiving his doctorate, and ask for his help on this article. It is also when I found out that Denis now works for Professor Kevin Fu. And…

Dr. Fu is a leading authority on the vulnerability of medical devices and computers used by health-care providers. Dr. Fu, a member of NIST’s Information Security & Privacy Advisory Board, is quoted in just about every document I have accumulated on this issue.

I also learned Dr. Fu and his entire research group, including Denis, just moved to the University of Michigan where Dr. Fu has been instrumental in creating the first graduate course dedicated to medical-device security. Even amid all the turmoil of moving, Denis and Shane Clark (one of Dr. Fu’s PhD students) agreed to answer a few questions.

Kassner: There appears to be three distinct areas of concern: medical devices (implantable or otherwise), computers used by health care providers, and electronic medical record management systems. Would you explain what the concerns are for each?
Foo Kune and Clark: The main concerns as we see it for the 3 types of devices you mentioned are as follows:

  • For devices that have an actuation directly affecting the patient (think infusion pump or defibrillator), we are worried about safety and security.
  • For computers used by clinicians in hospitals, some of the main concerns are the lack of updates and standard computer security measures, which leave the systems vulnerable to garden variety malware.
  • For machines that handle the electronic medical records, the main concern would be privacy.

Kassner: O’Harrow quoted Dr. Rubin in his article as flat out stating many of these issues no longer exist in other professional venues — the financial industry, for example. Why is the health-care field so far behind?
Foo Kune and Clark: From our understanding, Professor Rubin was saying that other fields have progressed faster in terms of security, than the health-care industry. We only have limited visibility into the industry and, beyond the misconception about the FDA requirements regarding patches (Dr. Fu has a blog post about this issue). Industry manufacturers may perceive little benefit, and possibly serious implications in issuing security updates.

In addition, there seems to be little reward from the marketplace for securing devices. In fact, one medical device manufacturer even has statements that could discourage additional security measures. See this blog post.

Kassner: When I had my heart surgery, I bugged the nurses and technicians incessantly, asking about the monitors and wireless systems they used. One key point I discovered — equipment directly involved with patient care was isolated from other hospital networks and the Internet.

From what I have read in several of the research papers listed on the Security and Privacy Research Group’s website, newer medical devices have the ability to communicate with the medical staff directly or via a third-party provider. What implications do you see resulting from that capability?

Foo Kune and Clark: First, non-networked systems are not necessarily secure. Worms spreading via USB sticks can easily infect those devices.

The ability for a medical device to communicate directly with legitimate remote stations has to be balanced with the increased attack surface offered by network connectivity. If properly implemented using appropriate security measures, the connected capability of devices can bring great benefits to patients.

Kassner: You mentioned the FDA — the government body that regulates medical devices — in an earlier answer. You also mentioned there was a misconception about FDA requirements regarding updates. Would you please explain what you meant?
Foo Kune and Clark: The FDA making clear that updates are a good thing is very helpful. We just have to get the word out to more folks. The misconception is that updates on medical devices will require a re-certification. The truth is that most updates will fall below the FDA review threshold.  In fact, the FDA encourages manufacturers to issue regular updates.
There is another issue creeping in: the lack of an effective mechanism to report post-market security events. The current method using the FDA’s MAUDE database, while helpful, is not focused on security.

The next version database does not focus on security either, making it harder for security researchers to get good data. Part of the reason might be clinicians are not trained to recognize security events, and even if the database did focus on security, the data collection process could be challenging.

Kassner: I’m just starting to see the complexity of this challenge. Devices and computers are saving lives — I know up close and personal — so they can’ be shut off or not used. What do you see as the answer?
Foo Kune and Clark: Increased complexity is a problem. The resulting improved functionality needs to be balanced with designs that take security into consideration. In this case, starting the security development as early in the design process as possible — when the system is still conceptual, less complex, and easier to reason about — can improve the security of that system.
Kassner: I have faith that this will be sorted out. But until then, I wondered if there is anything we personally can do to reduce the risk. If someone close to you required major surgery, what would you do to assure yourself that every possible precaution was taken?
Foo Kune and Clark: Right now patients requiring therapy delivery from medical devices are much better off with the current devices than without. With that said, there is still a huge amount of work in improving the security design of medical devices.

Final thoughts

I have been known to go on about security being at odds with convenience. I must admit I’ve been remiss in not extolling the same concern about security being at odds with complexity. For everyone’s sake, what’s happening with medical devices, health-care computing devices, and the movement towards “machine to machine” technology needs to be a wake-up call.

I want to extend a special thanks to Dr. Fu, Dr. Foo Kune, and Mr. Clark for helping me with this article.